
How to range columns and rows?

jw44250
New Member

I have the following result from a Splunk query using appendcols, because the same logs always have different events with different messages.

message1 and message2 are just placeholder names.

Message  Count1  Message2  count2
hello    5       hi        10

The output I am looking for is:

Message  count    <-- header fields
hello    5
hi       10


somesoni2
SplunkTrust

Instead of appendcols, you should use just append. Also, remember to rename the fields in the 2nd search (Message2 and count2) to the same names as in the first search.

search 1 | table Message Count
| append [search 2 | table Message2 Count2 | rename Message2 as Message Count2 as Count ]

See this to know the difference between append and appendcols:
https://answers.splunk.com/answers/144351/what-are-the-differences-between-append-appendpipe.html


jw44250
New Member

It is the same index, but I have to extract different fields each time from the events, since the events returned have different messages.


jw44250
New Member

I tried using transpose; it didn't work.


jw44250
New Member

Thanks, it did work.


somesoni2
SplunkTrust

Glad it's working for you. If it's the same index, you probably don't need a subsearch. If you could share your search, we can look at it to see whether both searches can be merged into one for better performance.


jw44250
New Member

Here is the Splunk query:

index=index1 sourcetype=index1_log
| rex field=_raw "(?<Message>exception\s\w+\s\w+)"
| stats count by Message
| table Message count
| append
    [search index=index2 sourcetype=index2_log
     | rex field=_raw "(?<message>message\s\w+\s\w+)"
     | stats count as count1 by message
     | table message count1
     | rename message as Message count1 as count]
| rename count as "Hit Count"


somesoni2
SplunkTrust

Give this a try:

(index=index1 sourcetype=index1_log) OR (index=index2 sourcetype=index2_log) 
| rex field=_raw "(?<Message>(exception|message)\s\w+\s\w+)" 
|stats count as "Hit Count" by Message
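To make the two points of this thread concrete, the following Python simulation reproduces what appendcols, append-with-rename, and the merged single search above each produce on a handful of events. This is an added example, not code from the thread or from Splunk: the log lines are constructed, the helper names (rex_stats_count, appendcols, append, merged_search) are my own, and Python's (?P<name>...) capture syntax stands in for SPL's (?<name>...).

```python
import re
from collections import Counter

# Constructed sample events standing in for index1_log and index2_log.
INDEX1_EVENTS = [
    "2024-03-01T10:00:00 ERROR exception null pointer in handler",
    "2024-03-01T10:01:00 ERROR exception null pointer in handler",
    "2024-03-01T10:02:00 ERROR exception timeout waiting for db",
]
INDEX2_EVENTS = [
    "2024-03-01T10:00:30 INFO message login failed for user",
    "2024-03-01T10:01:30 INFO message login failed for user",
    "2024-03-01T10:03:00 INFO message password reset requested",
]


def rex_stats_count(events, pattern, field, count_field="count"):
    """Mimic `rex field=_raw "(?<field>...)" | stats count by field`.

    Returns one row per distinct captured value, sorted by that value
    so the comparisons below are deterministic.
    """
    rx = re.compile(pattern)
    counter = Counter()
    for raw in events:
        m = rx.search(raw)
        if m:
            counter[m.group(field)] += 1
    return [{field: k, count_field: v} for k, v in sorted(counter.items())]


def appendcols(left, right):
    """Mimic `appendcols`: rows are paired by position, so row i of the
    subsearch becomes extra columns on row i of the main search. This is
    the side-by-side shape the question started with."""
    rows = []
    for i in range(max(len(left), len(right))):
        row = {}
        if i < len(left):
            row.update(left[i])
        if i < len(right):
            row.update(right[i])
        rows.append(row)
    return rows


def append(left, right, rename):
    """Mimic `append [... | rename old as new ...]`: rename the subsearch
    fields to match the main search, then stack its rows underneath."""
    renamed = [{rename.get(k, k): v for k, v in row.items()} for row in right]
    return left + renamed


# One regex with alternation covers both event shapes, as in the OR'd search.
MERGED_PATTERN = r"(?P<Message>(exception|message)\s\w+\s\w+)"


def merged_search(events):
    """Mimic the single search over both indexes: one base search with OR,
    one rex with alternation, one stats, and no subsearch at all."""
    return rex_stats_count(events, MERGED_PATTERN, "Message", "Hit Count")


if __name__ == "__main__":
    s1 = rex_stats_count(INDEX1_EVENTS, r"(?P<Message>exception\s\w+\s\w+)", "Message", "Count1")
    s2 = rex_stats_count(INDEX2_EVENTS, r"(?P<Message2>message\s\w+\s\w+)", "Message2", "count2")
    print("appendcols (side by side):", appendcols(s1, s2))
    print("append (stacked):", append(s1, s2, {"Message2": "Message", "count2": "Count1"}))
    print("merged single search:", merged_search(INDEX1_EVENTS + INDEX2_EVENTS))
```

Running the file prints the three shapes: appendcols yields two wide rows with four fields, append yields four rows under one Message/Count1 header, and the merged search yields the same four rows with a single "Hit Count" field without ever running a subsearch.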

jw44250
New Member

Let me try it. Thanks.


jw44250
New Member

When adding `timechart span=3h count usenull=f useother=f` to both indexes, I get the error: please rename count columns.


somesoni2
SplunkTrust

You're getting that in the same query?
